Tendril is an open-source agent that builds its own tools as it goes. Most agent frameworks hand the model a big collection of pre-built tools and hope it picks the right one. Tendril flips this. It starts with three bootstrap tools. When the model needs something new, it writes the tool, registers it, and runs it without asking permission. Next time that capability is needed, it's already there.
The project runs on AWS Strands Agents SDK inside a Tauri desktop shell, with Claude Sonnet 4.5 handling inference through AWS Bedrock. A Rust-based host talks to a Node.js agent process via JSON-RPC, and generated tools execute in a Deno sandbox. The capability registry is just plain files on disk (an index. plus TypeScript files). The system prompt explicitly tells the model to never ask whether to create a tool, just build it. When a tool fails, the agent reads the error, patches the code, and retries.
Commenters on Hacker News flagged real problems with this approach. Registry bloat is one. Security runs deeper. A malicious prompt could trick the model into building tools that contain backdoors or exfiltrate data, creating a prompt injection vulnerability. Since there's no human verification step, those tools stick around for future sessions. The Deno sandbox limits the blast radius, but sandbox escapes happen. Others in the thread noted similar patterns already running in production, including Claude Code's self-extension capabilities and ULTRON, a Telegram bot that does autonomous tool generation.
Caching generated solutions so you don't burn tokens rebuilding them is pragmatic. The pattern is spreading across agent implementations. What Tendril adds is an open, inspectable reference. The security questions it raises are the same ones the whole autonomous agent space is going to have to answer honestly.